Talos Vulnerability Report

TALOS-2016-0226

Nitro Pro 10 PDF Handling Code Execution Vulnerability

February 3, 2017

CVE Number

CVE-2016-8713

Summary

A remote out-of-bounds write / memory corruption vulnerability exists in the PDF parsing functionality of Nitro Pro 10.5.9.9. A specially crafted PDF file can trigger this vulnerability, resulting in potential memory corruption. An attacker can send the victim a specific PDF file to trigger this vulnerability.

The last memory access (the instruction at 0x268C7D) triggers the exception. That instruction uses the value in the RAX register to calculate the final memory address. RAX is loaded by reading a 32-bit value from [r9+0x800] with sign extension. In this case the value at [r9+0x800] is 0xABABABAB, which is the mark Microsoft's HeapAlloc() uses for the "no man's land" guard bytes after allocated heap memory. In other words, this memory should never be referenced in the first place. The value is then increased by the value of r10 (at address 0x268C77) and multiplied by 2 (at address 0x268C7A).
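As an added triage example (not code from the report or from Nitro), the following C program models the arithmetic described above and checks whether the loaded dword is a known heap fill pattern. The function names and the r10 value are assumptions, and the fill table goes beyond the single 0xABABABAB value the report mentions.

```c
#include <stdint.h>
#include <stdio.h>

/* Fill patterns written by the Windows heap (with heap debugging active)
 * and by the MSVC debug CRT. Seeing one in an address computation means
 * the code read memory it does not own or never initialized. */
struct fill { uint32_t value; const char *meaning; };
static const struct fill FILLS[] = {
    { 0xABABABABu, "HeapAlloc guard bytes after the allocation" },
    { 0xBAADF00Du, "HeapAlloc uninitialized memory" },
    { 0xFEEEFEEEu, "HeapFree freed memory" },
    { 0xFDFDFDFDu, "debug CRT guard bytes" },
    { 0xCDCDCDCDu, "debug CRT uninitialized heap memory" },
    { 0xDDDDDDDDu, "debug CRT freed heap memory" },
};

/* Returns a description if the dword is a known fill pattern, else NULL. */
const char *classify_fill(uint32_t dword)
{
    for (size_t i = 0; i < sizeof FILLS / sizeof FILLS[0]; i++)
        if (FILLS[i].value == dword)
            return FILLS[i].meaning;
    return NULL;
}

/* Models the steps the report describes: a sign-extending 32-bit load
 * into RAX, the add of r10, and the multiply by 2. The base the faulting
 * instruction combines this with is not given in the report. */
int64_t scaled_index(uint32_t loaded, int64_t r10)
{
    int64_t rax = (int64_t)(int32_t)loaded;  /* sign extension */
    rax += r10;
    return rax * 2;
}

int main(void)
{
    uint32_t loaded = 0xABABABABu;  /* value at [r9+0x800], from the report */
    int64_t r10 = 0x10;             /* assumed: the report gives no r10 value */
    const char *why = classify_fill(loaded);
    int64_t idx = scaled_index(loaded, r10);

    printf("loaded 0x%08X: %s\n", (unsigned)loaded, why ? why : "not a known fill");
    printf("scaled index: %lld (0x%016llX)\n",
           (long long)idx, (unsigned long long)idx);
    return 0;
}
```

Because the load is sign-extended, 0xABABABAB becomes a negative 64-bit value, so the scaled index lands roughly 2.6 GiB below whatever base it is applied to rather than above it.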